2002-04-17 20:03:43

by Frank Cornelis

[permalink] [raw]
Subject: ptrace & trap flag

Hey,

I wonder if anyone can help me out on this one.

When I ptrace a program and it has a breakpoint in it (int3) I can detect
that using PTRACE_SETOPTIONS with the option PTRACE_O_TRACESYSGOOD and
detection happens through !(WSTOPSIG(status) & 0x80).
But, when I ptrace a program and that program contains next code,
pushfl
popl %eax
orl 0x100, %eax
pushl %eax
popfl
thus setting the trap flag, then I still can detect the 'real' SIGTRAP
using !(WSTOPSIG(status) & 0x80), but when I do a PTRACE_SYSCALL on the
process, following SIGTRAPs always occur on the same EIP.
Clearing the X86_EFLAGS_TF of that process won't help it to make the
process continue 'till a next instruction.
Can anyone help me out?
The only thing I found is that the TF also makes the RF to be on.

Please CC me; I'm not on the mailing list.

Thanks in advance, Frank.